2

Right now anyone can access my assets by doing http://localhost:4200/assets/filename.pdf even when the user is not logged in. How can I protect my assets by using canActivate?

Something like this would be ideal: `{ path: 'assets/*', canActivate: [LoginService] },`

Thanks.

ilovelamp
  • I hope, we can't do it. canActivate is for routing purposes. https://blog.thoughtram.io/angular/2016/07/18/guards-in-angular-2.html – k11k2 Jul 26 '17 at 05:05

2 Answers

1

No. You want to use server-side authentication and authorization to protect file access.

Always assume anyone can access assets in your Angular application.

Martin
  • So you would recommend me moving assets that shouldn't be accessible to logged out users outside the `assets` folder and use something like `node.js` to protect their access? – ilovelamp Jul 25 '17 at 21:30
  • @ilovelamp Yes. Use `node.js` or any other server side technology to protect any files or records that users should be authorized to access. – Martin Jul 26 '17 at 10:47
  • @Martin, what about if I want to forbid access to the http://localhost:4200/assets/ and see all my website assets, should I set that specific path and redirects to a custom page? – Jun Apr 04 '18 at 18:13
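
The server-side check recommended in this answer, sketched as an added example that is not part of the original posts: a Node.js handler that serves files kept outside the Angular `assets` folder only to requests carrying a valid session cookie. The `/files/` prefix, the `protected-files` directory, the `sid` cookie and the in-memory session map are assumptions made for illustration.

```javascript
// Added example (not from the original thread). All names are illustrative.
const http = require('http');
const path = require('path');
const fs = require('fs');
const crypto = require('crypto');

// Protected files live outside the Angular build output, so the static
// asset handler never sees them.
const PROTECTED_DIR = path.resolve('protected-files');
const sessions = new Map(); // session id -> user; stands in for a real session store

// Called by the login endpoint after credentials have been verified.
function createSession(user) {
  const sid = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, { user });
  return sid;
}

function sessionFromCookie(cookieHeader = '') {
  const match = /(?:^|;\s*)sid=([a-f0-9]{64})(?:;|$)/.exec(cookieHeader);
  return match ? sessions.get(match[1]) || null : null;
}

// Decides before any disk access: 401 without a session, 400 for malformed
// or escaping paths, otherwise 200 plus the resolved file path.
function authorize(urlPath, cookieHeader) {
  if (!sessionFromCookie(cookieHeader)) return { status: 401 };
  let name;
  try { name = decodeURIComponent(urlPath.replace(/^\/files\//, '')); }
  catch { return { status: 400 }; }
  const file = path.resolve(PROTECTED_DIR, name);
  const inside = file.startsWith(PROTECTED_DIR + path.sep);
  if (!inside || name.includes('\0')) return { status: 400 };
  return { status: 200, file };
}

const server = http.createServer((req, res) => {
  const urlPath = new URL(req.url, 'http://localhost').pathname;
  if (!urlPath.startsWith('/files/')) { res.writeHead(404).end(); return; }
  const { status, file } = authorize(urlPath, req.headers.cookie);
  if (status !== 200) { res.writeHead(status).end(); return; }
  fs.createReadStream(file)
    .on('error', () => { if (!res.headersSent) res.writeHead(404); res.end(); })
    .pipe(res);
});

// Start with: node server.js --serve
if (process.argv.includes('--serve')) server.listen(3000);
```

The Angular route guard still controls which views are shown, but only this server-side check decides whether the file bytes are sent.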
1

You want to authenticate via the backend, but you also want to set up your routing in Angular using canActivate and something like AuthGuard so that the only initial route that can be accessed is the login route/component. That way no other assets/routes are available until after login authentication has happened.

Muirik